EXHIBIT 10.1 AMENDMENT NUMBER ONE TO THE EXECUTIVE MEDICAL PLAN OF THE COCA-COLA COMPANY THIS AMENDMENT to the Executive Medical Plan of The Coca-Cola Company (the "Plan") is adopted by the Plan Administrator. W I T N E S S E T H: WHEREAS, Section 10 of the Plan provides that the Plan Administrator may amend the Plan at any time; and WHEREAS, the Plan Administrator wishes to amend the Plan to address the use and disclosure of protected health information. NOW, THEREFORE, the Plan Administrator hereby amends the Plan as follows: Effective April 14, 2003, the following new Section 12 shall be added: 12. PROTECTED HEALTH INFORMATION 12.1 USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION. The Plan will use and disclose protected health information (PHI) for purposes related to the treatment through, payment for, and operation of health care functions. The Plan will disclose PHI to the Company only after receipt of proper confirmation from the Company that the Plan document has been amended to incorporate the following provisions and/or conditions relating to the use and disclosure of PHI. (a) Payment for health care functions includes those activities undertaken by or performed on behalf of the Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Plan with respect to an individual to whom health care services are provided. Activities that constitute payment activities include, but are not limited to, the following activities: 1. Determination of eligibility or coverage (including the determination of cost sharing amounts); 2. Coordination of benefits; 3. Adjudication or subrogation of health benefit claims; 4. Risk adjusting amounts due based upon enrollee health status and demographic characteristics; 5. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing; 6. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; 7. Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and 8. Disclosure to consumer reporting agencies of any of the following health information relating to collection of premiums or reimbursement: (i) Name and address; (ii) Date of birth; (iii) Social Security Number; (iv) Payment history; (v) Account number; and (vi) Name and address of the health care provider and/or health plan. (b) Health Care Operations include, but are not limited to, the following activities: 1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (provided that the obtainment of generalizable knowledge is not the primary purpose of any studies resulting from such activities); 2. Population-based activities relating to the improving health or reducing health care costs, protocol development, case management and care coordination, and contacting of health care providers and patients with information about treatment alternatives (and related functions that do not include treatment); 3. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs for students, trainees, or practitioners in areas of health care, and training of non-health care professionals; 4. Accreditation, certification, licensing, or credentialing activities; 5. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance); 6. Conducting or arranging for medical review, legal services, and auditing functions (including fraud and abuse detection and compliance programs); 7. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of methods of payment or coverage policies; 8. Business management and general administrative activities of the Plan, including (but not limited to): (i) Management activities relating to implementation of and compliance with the requirements of HIPAA's administrative simplification regulations; (ii) Customer service, including the provision of data analyses for policy holders or other customers (provided that protected health information is not disclosed to such policy holder or customer); (iii) Resolution of internal grievances; (iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest (if the potential successor in interest is a covered entity under HIPAA or will become a covered entity following the sale or transfer); and (v) Creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required. 12.2 USE AND DISCLOSURE OF PHI AS REQUIRED BY LAW OR AS PERMITTED BY AUTHORIZATION OF THE PARTICIPANT OR BENEFICIARY. With authorization, the Plan will disclose PHI to the other plans sponsored by the Company for purposes related to administration of these plans. 12.3 CONDITIONS RELATING TO THE USE AND DISCLOSURE OF PHI BY THE COMPANY THE COMPANY AGREE TO THE FOLLOWING CONDITIONS RELATING TO THE USE AND DISCLOSURE OF PHI: (a) The Company will not use or further disclose PHI other than as permitted or required by the Plan document or required by law; (b) The Company will ensure that any agents, including subcontractors, to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Company with respect to such PHI; (c) The Company will not use or disclose PHI for employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the Company (unless authorized to do so by the individual); (d) The Company will report to the Plan any use or disclosure of PHI that is inconsistent with the uses or disclosures provided for in the Plan document of which the Company becomes aware; (e) The Company will make PHI available to the individual in accordance with the access requirements of HIPAA; (f) The Company will make PHI available to the individual for amendment and incorporate any amendments to PHI in accordance the amendment requirements of HIPAA; (g) The Company will make available such information as is required to provide an accounting of disclosures in accordance with the requirements of HIPAA; (h) The Company will make its internal practices, books, and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of Health and Human Services for purposes of determining compliance by the Plan with the requirements of HIPAA; (i) The Company will, if feasible, return or destroy all PHI received from the Plan that the Company still maintains in any form and retain no copies of such PHI when no longer needed for the purpose for which the disclosure was made. Where such return or destruction is not feasible, the Company will limit further uses or disclosures to those purposes that make the return or destruction of the PHI infeasible. 12.4 ESTABLISHMENT AND MAINTENANCE OF ADEQUATE SEPARATION BETWEEN THE COMPANY. In accordance with the requirements of HIPAA, only the following employees/classes of employees will be given access to PHI to be disclosed: Barbara Gilbreath Sharon Ray Leah Thomason Jill Welch Angela Green Cheryl Lee Inga Vaystikh Smith Ann Kroboth Sandy Lewis Lisa Bremmer Porcha Cook Lisa Taylor The persons described above will only have access to and use PHI for purposes of Plan administration functions that the Company performs for the Plan. 12.5 NONCOMPLIANCE BY PLAN ADMINISTRATIVE PERSONNEL: In the event that the employee/ class of employees described in subsection 12.4 above fail to comply with the terms of the Plan document, the Company shall provide an effective mechanism for the resolution of any such noncompliance issues, to include disciplinary measures. IN WITNESS WHEREOF, the Plan Administrator has adopted this Amendment on the date shown below, but effective as of the dates indicated above. Plan Administrator By: /s/ Barbara S. Gilbreath --------------------------------- Date 4/15/03 ---------------------------------